Users can insert their own URL pointers into the program, which then outputs a PDF carrying the exploit. Microsoft’s free anti-virus blocked the attack (CVE-2010-0188) in a test, and it was likely other platforms would raise flags too.

As is usually the case, unpatched users could fall victim. Unfortunately, that is again a large collection of possible victims.

Users could combine the tool with a free or paid automated phishing platform to create the attack system.

While uses for the bad guys are abundantly obvious, penetration testers and internal security teams can use it to launch attacks against staff to help improve social engineering awareness and defenses.

Claes Spett, a freelance security researcher, developed the tool while building a private exploit kit to hit organizations during penetration tests.